2019 Healthcare Data Breach Report

According to the Department of Health and Human Services’ Office for Civil Rights breach portal statistics, 2019 saw a 196% increase in healthcare data breaches from 2018. There were 510 healthcare data breaches involving 500 or more records reported last year.

Except for 2015, the number of healthcare data breaches has gone up every year since October 2009, when the HHS’ Office for Civil Rights first began posting breach summaries.

In 2019, breached records increased by 37.47% from 2018. There were 41,335,889 records in 2019 and 13,947,909 records in 2018.

More data breaches were reported in 2019 than in any other year in history, including 2009 to 2014. The year also had the second-highest number of breached records. In 2019, about 12.55% of the U.S. population had their healthcare records exposed, stolen or impermissibly disclosed.

2019’s Biggest Healthcare Data Breaches

The following list exhibits the top 20 healthcare data breaches of 2019:

A business associate that experiences a data breach does not always report the incident. Sometimes a business associate and its covered entities experience the same breach but report it separately, as was the case with American Medical Collection Agency (AMCA).

The biggest problem area in 2019 for healthcare organizations was the security of email systems and the prevention of phishing attacks. The email incidents include misdirected emails, yet the largest percentage of email incidents were due to phishing and spear-phishing attacks.

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents), and 66 data breaches were reported by covered entities that stated there was some business associate involvement.

Healthcare Data Breaches by State in 2019

HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico reported data breaches. Texas reported the most breaches, with 60. Next was California, with 42 data breaches reported. North Dakota and Hawaii were the only states that did not report data breaches involving 500 or more records.